author | Christina Fu <cfu@redhat.com> | 2017-06-26 18:09:55 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2017-07-07 16:51:22 -0700 |
commit | 65b1242cd139e6306fb3e039193a3a6b223ea9b1 (patch) | |
tree | f192920abad6f9c9546503ad07521c5a9e2aca4d /base/server/cms | |
parent | 876d13c6d20e7e1235b9efbd601b47315debb492 (diff) | |
Ticket #2757 CMC enrollment profiles for system certificates
This patch supports CMC-based system certificate requests.
This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URIs in web.xml as new access points
Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Diffstat (limited to 'base/server/cms')
4 files changed, 60 insertions, 4 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 66a356965..97d51715d 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.X509Certificate;
 import java.security.MessageDigest;
 import java.security.PublicKey;
 import java.util.Enumeration;
@@ -247,6 +248,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         String auditCertSubject = ILogger.UNIDENTIFIED;
         String auditSignerInfo = ILogger.UNIDENTIFIED;
 
+        SessionContext auditContext = SessionContext.getExistingContext();
+        X509Certificate clientCert =
+                (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+
         // ensure that any low-level exceptions are reported
         // to the signed audit log and stored as failures
         try {
@@ -362,7 +367,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         String userid = "defUser";
         String uid = "defUser";
         if (checkSignerInfo) {
-            IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
+            IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
             if (agentToken == null) {
                 CMS.debug(method + "agentToken null");
                 throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
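Review bot: The new `auditContext.get(SessionContext.SSL_CLIENT_CERT)` in the @@ -247 hunk dereferences `auditContext` without a null check, and it sits before the `try` block that is supposed to route low-level failures into the signed audit log; if `getExistingContext()` returns null when no context has been bound to the thread (its name suggests so, but the implementation is not visible here) the request dies with an unaudited NullPointerException. The `auditContext == null` guard this commit adds inside verifySignerInfo comes after this line and so cannot prevent it. A guard here is one line: `X509Certificate clientCert = (auditContext == null) ? null : (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);`. The `clientCert` local is not read anywhere in this hunk; if it is not used later in authenticate(), drop it, since verifySignerInfo fetches the certificate again itself. The enclosing method starts and ends outside the hunk.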
@@ -813,8 +818,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                 level, "CMC Authentication: " + msg);
     }
 
-    protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
-
+    protected IAuthToken verifySignerInfo(
+            SessionContext auditContext,
+            AuthToken authToken,
+            SignedData cmcFullReq) throws EBaseException {
+        String method = "CMCAuth: verifySignerInfo: ";
+        String msg = "";
         EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
         OBJECT_IDENTIFIER id = ci.getContentType();
         OCTET_STRING content = ci.getContent();
@@ -823,6 +832,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         CryptoToken signToken = null;
         CryptoToken savedToken = null;
         CryptoManager cm = null;
+
+        if (auditContext == null) {
+            CMS.debug(method + " auditConext can't be null");
+            return null;
+        }
         try {
             cm = CryptoManager.getInstance();
             ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
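Review bot: The debug message in the new null guard of the @@ -823 hunk misspells the parameter and carries a stray leading space (`" auditConext can't be null"`), which will make the line hard to grep for; `CMS.debug(method + "auditContext can't be null");` is enough. Returning null from here surfaces in the caller only as the generic "agent verifySignerInfo failure" EBaseException, so the actual cause is lost unless debug logging is enabled — consider throwing an EBaseException with the specific message instead, if callers tolerate that. The method also gained a parameter with no documentation; a line such as `// auditContext: must carry SSL_CLIENT_CERT, which the CMC signer is checked against below` on the signature would tell the next reader what the context is required to hold. verifySignerInfo's body continues outside the hunk.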
@@ -910,6 +924,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                 si.verify(digest, id);
             } else {
                 CMS.debug("CMCAuth: found signing cert... verifying");
+
+                X509Certificate clientCert =
+                        (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
+                if (clientCert == null) {
+                    // createAuditSubjectFromCert(auditContext, x509Certs[0]);
+                    msg = "missing SSL client authentication certificate;";
+                    CMS.debug(method + msg);
+                    s.close();
+                    throw new EMissingCredential(
+                            CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
+                }
+                netscape.security.x509.X500Name clientPrincipal =
+                        (X500Name) clientCert.getSubjectDN();
+
+                netscape.security.x509.X500Name cmcPrincipal =
+                        (X500Name) x509Certs[0].getSubjectDN();
+
+                // check ssl client cert against cmc signer
+                if (!clientPrincipal.equals(cmcPrincipal)) {
+                    msg = "SSL client authentication certificate and CMC signer do not match";
+                    CMS.debug(method + msg);
+                    s.close();
+                    throw new EInvalidCredentials(
+                            CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                } else {
+                    CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+                }
+
                 PublicKey signKey = cert.getPublicKey();
                 PrivateKey.Type keyType = null;
                 String alg = signKey.getAlgorithm();
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index ab9a94ab8..ff82ade9c 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
                     s.close();
                     throw new EInvalidCredentials(
                             CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                } else {
+                    CMS.debug(method + "ssl client cert principal and cmc signer principal match");
                 }
 
                 PublicKey signKey = cert.getPublicKey();
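Review bot: The binding between the TLS client certificate and the CMC signer in the new `if (!clientPrincipal.equals(cmcPrincipal))` check compares subject DNs only, so any certificate that carries the same subject name as the agent's TLS certificate — one issued by a different CA, or an older certificate for the same subject — passes it; how much that matters depends on how `x509Certs[0]` is validated further down in this method, which runs past the hunk. A tighter binding compares the certificates themselves, e.g. `if (!java.util.Arrays.equals(clientCert.getEncoded(), x509Certs[0].getEncoded()))` (with CertificateEncodingException handled), or at least issuer DN together with serial number. The two `(X500Name) ...getSubjectDN()` casts assume a particular certificate implementation and would raise ClassCastException for any other; `getSubjectX500Principal()` avoids the cast, though the concrete types of `clientCert` and `x509Certs[0]` are not visible here. The commented-out `createAuditSubjectFromCert(auditContext, x509Certs[0]);` line should be restored or deleted rather than shipped as dead code.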
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 7dfaddac4..93d0a74ae 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile
             if (signingUserSerial != null) {
                 donePOI = true;
             }
+
             // catch for invalid request
             cmc_msgs = parseCMC(locale, cert_request, donePOI);
             if (cmc_msgs == null) {
@@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile
         byte randomSeed[] = null;
         UTF8String ident_s = null;
         SessionContext context = SessionContext.getContext();
+        String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID);
+        if (authManagerId == null) {
+            CMS.debug(method + "authManagerId null.????");
+            //unlikely, but...
+            authManagerId = "none";
+        } else {
+            CMS.debug(method + "authManagerId =" + authManagerId);
+        }
+        if(authManagerId.equals("CMCAuth")) {
+            donePOI = true;
+        }
 
         boolean id_cmc_revokeRequest = false;
         if (!context.containsKey("numOfControls")) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index ded237b8d..63c9b82d2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
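Review bot: In the @@ -723 hunk, `if(authManagerId.equals("CMCAuth"))` turns the proof-of-identity requirement off for the whole request on the strength of a string compare against the authentication manager's configured id, and nothing on the line says why that is acceptable. A why-comment would protect the next maintainer from loosening it further, e.g. `// CMCAuth has already verified the agent's signature on the request, so POI is considered done`, worded to match whatever guarantee CMCAuth actually provides. If a deployment can register this plugin under a different instance id, the bypass silently stops applying (or, conversely, a differently-behaving manager named "CMCAuth" would inherit it); comparing a plugin class or a shared constant would be more robust, though how ids are assigned is not visible here. Minor: `if(` should be `if (` to match the surrounding code, and the `authManagerId = "none";` fallback could simply be a `return`-free skip since "none" never equals "CMCAuth". The enclosing method continues outside the hunk.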
@@ -494,7 +494,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
             ///////////////////////////////////////////////
             String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
             if (tmpCertSerialS != null) {
-                // unlikely to happenm, but do this just in case
+                // unlikely to happen, but do this just in case
                 CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
                 CMS.debug("ProfileSubmitCMCServlet: null it out");
                 ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");